+The following ASR rules DO NOT honor Microsoft Defender Antivirus exclusions:

+|**Semi - require approval for all folders** <br> (also referred to as *semi-automation*)|With this level of semi-automation, approval is required for remediation actions on all files. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. Pending actions time out after 7 days. If an action times out, the behavior is the same as if the action is rejected. <p> *This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.*|

+- [ Microsoft Defender for Endpoint](../defender/microsoft-365-security-center-mde.md)

+- Microsoft Defender for Cloud

+- Microsoft Defender for Identity

+| [False positive](defender-endpoint-false-positives-negatives.md): An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | 1. [Review and classify alerts](defender-endpoint-false-positives-negatives.md#part-1-review-and-classify-alerts) that were generated as a result of the detected entity. <br/>2. [Suppress an alert](defender-endpoint-false-positives-negatives.md#suppress-an-alert) for a known entity. <br/>3. [Review remediation actions](defender-endpoint-false-positives-negatives.md#part-2-review-remediation-actions) that were taken for the detected entity. <br/>4. [Submit the false positive to Microsoft](../intelligence/submission-guide.md) for analysis. <br/>5. [Define an exclusion](defender-endpoint-false-positives-negatives.md#part-3-review-or-define-exclusions) for the entity (only if necessary). |

+GET api/machines/HardwareFirmwareInventoryByMachine

+GET https://api.security.microsoft.com/api/machines/HardwareFirmwareInventoryByMachine

+Defender for Endpoint on iOS supports vulnerability assessments of OS and apps. Vulnerability assessment of iOS versions is available for both enrolled (MDM) and unenrolled (MAM) devices. Vulnerability assessment of apps is only for enrolled (MDM) devices. Admins can use the following steps to configure the vulnerability assessment of apps.

+1. On the Settings page, select **Use configuration designer** and add **DefenderFeedbackData** as the key and value type as **Boolean**.

+- Ensure the end users have company portal app installed, signed in and enrollment completed.

+ - Configuration Value: `true`

+>

+> However, the **ControlFilter** profile does not work with Always-On VPN (AOVPN) due to platform restrictions.

+| Oracle Linux RHCK | 7.9 | 3.10.0-1160 |

+| Oracle Linux UEK | 7.9 | 5.4 |

+ - Tenants with [role-based access (RBAC) permissions](../defender/manage-rbac.md) enabled

+2. Verify the download.

+ > The current SHA256 hash of 'XMDEClientAnalyzerBinary.zip' that is downloaded from the above link is: 'E8D1B752A937E9AB305AE3C30737E31D75AE6FF9299002AB23F5C463C77DD159'

+ echo 'E8D1B752A937E9AB305AE3C30737E31D75AE6FF9299002AB23F5C463C77DD159 XMDEClientAnalyzerBinary.zip' | sha256sum -c

+ 2. **SupportToolmacOSBinary.zip** : For Intel-based Mac devices

+ 3. **SupportToolmacOS-armBinary.zip** : For Arm-based Mac devices

+ ```console

+ unzip -q SupportToolLinuxBinary.zip

+ ```

+ - Intel-based Mac

+ ```console

+ unzip -q SupportToolmacOSBinary.zip

+ ```

+ - For Arm-based Mac devices

+ ```console

+ unzip -q SupportToolmacOS-armBinary.zip

+ ```

+> >[!WARNING]

+> >Running the Python-based client analyzer requires the installation of PIP packages which may cause some issues in your environment. To avoid issues from occurring, it is recommended that you install the packages into a user PIP environment.

+ echo '24241D30F4A19F982B83295BEF005184C0AB04F6BA1B709F0C111AADA25239C5 XMDEClientAnalyzer.zip' | sha256sum -c

+Collect extensive machine performance tracing for analysis of a performance scenario that can be reproduced on demand.

+Follow this to approve profile installation: [Apple Support Guide](https://support.apple.com/guide/mac-help/configuration-profiles-standardize-settings-mh35561/mac#:~:text=Install%20a%20configuration%20profile%20you%E2%80%99ve%20received).

+> This functionality exists for Linux only.

+Usage example: `sudo ./MDESupportTool exclude -d /var/foo/bar`

+Usage example: `sudo ./mde_support_tool.sh ratelimit -e true`

+Usage example: `sudo ./mde_support_tool.sh skipfaultyrules -e true`

+ Description: Same diagnostic output that gets generated when running *mdatp diagnostic create* on either [macOS](mac-resources.md#collecting-diagnostic-information) or [Linux](linux-resources.md#collect-diagnostic-information).

+Defender Vulnerability Management premium capabilities are available to server devices with Microsoft Defender for Servers Plan 2.

+> Client devices will require the Defender Vulnerability Management add-on license to access Defender Vulnerability Management premium capabilities.

+> To use the premium vulnerability management capabilities for your client devices, see [Try Defender Vulnerability Management Add-on trial for Defender for Endpoint Plan 2 customers](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).

+The capabilities are only available through the [Microsoft Defender 365 portal](https://security.microsoft.com/homepage).

+|[Block vulnerable applications](tvm-block-vuln-apps.md)|-|Γ£ö|

+* Using [advanced hunting](advanced-hunting-overview.md), search for the identified process in the process creation events on other devices.

+|**Spoof intelligence Off**|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` and `p=reject` DMARC policies use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** and **If the message is detected as spoof and DMARC policy is set as p=reject** actions in anti-phishing policies.|Implicit email authentication checks aren't used. Explicit email authentication failures for `p=quarantine` DMARC policies are quarantined, and failures for `p=reject` DMARC policies are quarantined.|

+> [!NOTE]

+> If the MX record for the domain points to a third-party service or device that sits in front of Microsoft 365, the **Honor DMARC policy** setting is applied only if [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) is enabled for the connector that receives inbound messages.

+- **Show user impersonation unusual characters safety tip**: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a sender specified in [user impersonation protection](#user-impersonation-protection). Available only if **Enable users to protect** is turned on and configured.

+ |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.┬╣|Γ£ö^\*|Γ£ö^\*|Γ£ö|┬▓|Γ£ö^\*|

+ |**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <br/><br/> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <br/><br/> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.┬╣ ┬│|Γ£ö|Γ£ö|Γ£ö||Γ£ö|

+ |**Prepend subject line with text**: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk email folder.┬╣ ┬│ <br/><br/> You enter the text later in the **Prefix subject line with this text** box.|Γ£ö|Γ£ö|Γ£ö||Γ£ö|

+ |**Quarantine message**: Sends the message to quarantine instead of the intended recipients. <br/><br/> You select or use the default _quarantine policy_ for the spam filtering verdict in the **Select quarantine policy** box that appears.⁴ Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy). <br/><br/> You specify how long the messages are held in quarantine in the **Retain spam in quarantine for this many days** box.|✔|✔|✔^\*|✔^\* ⁵|✔|

+ In hybrid environments where EOP protects on-premises Exchange mailboxes, you need to configure mail flow rules (also known as transport rules) in on-premises Exchange to translate the EOP spam filtering verdict. For details, see [Configure EOP to deliver spam to the Junk Email folder in hybrid environments](/exchange/standalone-eop/configure-eop-spam-protection-hybrid).

+ ┬▓ For **High confidence phishing**, the **Move message to Junk Email folder** action is effectively deprecated. Although you might be able to select the **Move message to Junk Email folder** action, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).

+ ┬│ You can this use value as a condition in mail flow rules to filter or route the message.

+ ⁴ If the spam filtering verdict quarantines messages by default (**Quarantine message** is already selected when you get to the page), the default quarantine policy name is shown in the **Select quarantine policy** box. If you _change_ the action of a spam filtering verdict to **Quarantine message**, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).

+ ⁵ Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined high-confidence phishing messages.

+ > If [reporting for Microsoft Purview Communication Compliance is turned off](/purview/communication-compliance-policies#user-reported-messages-policy), users might not have the dropdown list to select **Security risk - Spam, phishing, malicious content**. Instead, they're shown a confirmation pop-up.

+> Currently, ZAP is available for internal messages that are identified as malware or high confidence phishing.

+>

+> Currently, blocking potentially malicious messages by ZAP is supported only for Teams Chats. Channels and external messages aren't supported.

+Admins can view and manage these quarantined messages in the Quarantine view. For more information, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md#use-the-microsoft-365-defender-portal-to-manage-microsoft-teams-quarantined-messages). Currently, you can't view or manage quarantined Teams messages unless you're an admin.

+ - Exceptions are only honored when all users in the chat are on the exception list.

+|Parameter|Description|Value|

+|ExemptDomains|List of domains exempt from ZAP.|`ExceptIfRecipientDomainIs`|

+ Title: Create your collaboration governance plan

+description: Learn how to create your collaboration governance plan

+Thinking about governance first means starting your Microsoft 365 journey with some key decisions to best position for overall success. Some of these decisions include:

+- What type of content can be published in each type of environment ΓÇô and what features need to be enabled to prevent users from accidentally publishing information in inappropriate locations? [Learn about information protection in Microsoft 365](/purview/information-protection).

+Governance planning for Microsoft 365 is about making sure that you are protecting your critical information assets while minimizing risk. Governance includes several key areas, each of which needs to be planned, coordinated, and adapted to align with changing organizational needs and the evolution of the technology.

+- **Information Assurance** ΓÇô managing content throughout the life cycle, treating information as an asset, including records management, compliance, and security. Information assurance requires an understanding of both business goals and regulatory requirements. Ideally, you want to use automated policies that prevent users from making mistakes or warn them in scenarios where they need to make an informed decision. Where it is not possible to enforce by policy, you need to plan for education and training.

+- **Outcomes Assurance** ΓÇô steering empowered site or team owners in the right direction to achieve business results. Outcomes assurance is largely about providing guidance to content authors and site, group, and team owners ΓÇô ensuring that the appropriate training is available to ensure that they know how to make good choices to get desired outcomes within overall organizational standards and practices.

+For example, one of the key empowering capabilities of Microsoft 365 is the ability to easily work collaboratively with people outside your organization. Some organizations in some industries choose to block all external sharing. Others enable external sharing in specific scenarios or with specific organizations. There is no right or wrong governance decision when it comes to external sharing ΓÇô and there are many different scenarios where you can enable different settings in Microsoft 365 to allow sharing in some cases and block it in others. If you are just beginning your journey from an on-premises environment to the cloud, it is important to think about external sharing decisions and understand the benefits and risks associated with the different available options.

+Your investment in Microsoft 365 is only as good as the value of the content and experiences you enable ΓÇô so thinking about governance at the start of your journey ensures that you neither lock down or enable too much before you have had a chance to understand and evaluate the implications of each decision. There are multiple "knobs and dials" you can turn in Microsoft 365. An effective governance plan is critical to achieve business goals ΓÇô but governance is about balancing risk with benefits. If we lock everything down, people will find a way to work around the rules if they need to do so to get work done.

+- **Align to business priorities**. The time to start thinking about governance is when you are identifying the key business priorities for the solutions you build in Microsoft 365. These key business outcomes define the context for governance planning. This is important because your business goals can help you define how much time and energy you need to invest in governance. For example, if improving content discoverability across the organization is not very important, you probably do not need to spend too much time focused on enforcing or planning file naming conventions. If, on the other hand, you want to help reduce instances of multiple versions of the same document in various repositories across the enterprise, then your governance decisions need processes and policies and training to ensure that content authors understand how to name files and follow "one copy of a document" guidance to make sure content is posted in only one location. It also means that you need a process to ensure that you are not unnecessarily creating more than one site or team for the same purpose.

+Many governance decisions can be implemented by turning on or off features in Microsoft 365. That can help enforce your governance standards but it may not help the people in your organization understand what is available to them and why (or why not).

+- **Embed governance decisions directly in the solutions you create**. If you want to ensure that sensitive information is protected throughout Microsoft 365, implement sensitivity labels to ensure that your users don't accidentally expose information that they shouldn't. Block the applications where you can't provide the appropriate protection. [Learn more about sensitivity labels](/purview/sensitivity-labels).

+- **Deliver as a site, not a document**. Create your own Microsoft 365 Adoption Center in a SharePoint communication site to ensure that your content authors and site and team owners understand not just "how to" but also "how should." Create topic-specific pages that address different business scenarios to provide both guidance and best practice to use or enable different capabilities in SharePoint and Teams and other applications to achieve business outcomes. Make these pages part of your [SharePoint intranet](/sharepoint/plan-intranet).

+- Because it is so easy for users to create Microsoft 365 groups and teams, you may want to open group and team creation so that IT is not inundated with requests to create them on behalf of other people. To avoid sprawl, you could create a custom workflow that sends an email with governance, training, and other information to group and team creators. (For example, "You just created a site/team, community, etc. -- here are your responsibilities and links to training...") On the other hand, depending on your business, you might want to control who has the ability to create groups.

+- If you lock everything down, people will find a work-around. Try to understand the key business scenarios your users want to enable and provide guidelines and training as appropriate.

+In addition to your governance team, there are several other key roles or teams that can help position your organization for success with Microsoft 365. Some roles may be combined or filled by the same person and others may not be appropriate for all organizations. Most organizations have an Executive Sponsor for Microsoft 365 as a whole and some also have a Steering Committee or team either for Microsoft 365 as a whole or just for the intranet. [Learn more about the comprehensive admin roles and permissions available in Microsoft 365](/microsoft-365/admin/add-users/admin-roles-page).

+- Can you incorporate "how should" with your "how to" training? In other words, can you create a "user resource center" for Microsoft 365 where you can provide resources and training to help provide guidance and training that helps users adopt Microsoft 365 effectively? The best governance content provides guidance that helps all users adopt and get the most value from Microsoft 365.

+- Can you create a Microsoft 365 Champions program for your organization? Consider joining the worldwide [Microsoft 365 champions program](https://aka.ms/O365Champions) to get ideas and approaches for your own champions program and to connect with like-minded people and thought leaders from within and around Microsoft.

+ Title: A collaboration governance framework for Microsoft 365

+description: Learn governance best practices for Microsoft 365 collaboration tools, including Microsoft 365 Groups, Teams, SharePoint, and Viva Engage.

+Organizations today are using a diverse tool set. There's the team of developers using team chat, the executives sending email, and the entire organization connecting over enterprise social. Multiple collaboration tools are in use because every group is unique and has their own functional needs and work style. Some will use only email while others will live primarily in chat.

+If users feel the IT-provided tools do not fit their needs, they will likely download their favorite consumer app which supports their scenarios. Although this process allows users to get started quickly, it leads to a frustrating user experience across the organization with multiple logins, difficulty sharing, and no single place to view content. This concept is referred to as "Shadow IT" and poses a significant risk to organizations. It reduces the ability to uniformly manage user access, ensure security, and service compliance needs.

+Services such as Microsoft 365 groups, Teams, and Viva Engage empower users and reduces the risk of shadow IT by providing the tools needed to collaborate. Microsoft 365 has a rich set of tools to implement any governance capabilities your organization might require.

+Microsoft 365 groups let you choose a set of people with whom you wish to collaborate, and easily set up a collection of resources for those people to share. Adding members to the group automatically grants the needed permissions to all assets provided by the group. Both Teams and Viva Engage use Microsoft 365 groups to manage their membership.

+Microsoft 365 groups include a suite of linked resources that users can use for communication and collaboration. Groups always include a SharePoint site, Planner, and a mailbox and calendar. Depending on how you create the group, you can optionally add other services such as Teams, Viva Engage, and Project.

+|[Calendar](https://support.office.com/article/0cf1ad68-1034-4306-b367-d75e9818376a)|For scheduling events related to the group|

+|[Inbox](https://support.office.com/article/a0482e24-a769-4e39-a5ba-a7c56e828b22)|For email conversations between group members. This inbox has an email address and can be set to accept messages from people outside the group and even outside your organization, much like a traditional distribution list.|

+|[OneNote notebook](https://support.office.com/article/e768fafa-8f9b-4eac-8600-65aa10b2fe97)|For gathering ideas, research, and information|

+|[Planner](https://support.office.com/article/4a9a13c6-3adf-4a60-a6fc-15c0b15e16fc)|For assigning and managing project tasks among your group members|

+|[SharePoint team site](https://support.office.com/article/75545757-36c3-46a7-beed-0aaa74f0401e)|A central repository for information, links and content relating to your group|

+|[Viva Engage](https://support.office.com/article/b565caa1-5c40-40ef-9915-60fdb2d97fa2)|A common place to have conversations and share information|

+- Outlook: collaboration through email, including with a shared group inbox and calendar

+**Teams: chat-based workspace (high velocity collaboration)**

+**Viva Engage: connect across the org (enterprise social)**

+**Mailbox and calendar (email-based collaboration)**

+ - Used for targeted communication with individuals or a group of people

+> When a new Microsoft 365 group is created via Viva Engage or Teams, the group isn't visible in Outlook or the address book because the primary communication between those users happens in their respective clients. Viva Engage groups cannot be connected to Teams.

+- **Have a strategy for communicating governance policies and guidelines in your organization** - create a Microsoft 365 Adoption Center in a [SharePoint communication site](https://support.microsoft.com/en-us/office/7fb44b20-a72f-4d2c-9173-fc8f59ba50eb) to communicate policies and procedures.

+- If your organization has deployed Teams, instruct your users to create a team when they need a collaboration space.

+Additionally, these add-on licenses provide enhanced governance capabilities:

+- [Microsoft Teams Premium](/microsoftteams/enhanced-teams-experience) provides compliance capabilities for meetings, including watermarks, encryption, and sensitivity labels.

+- [Microsoft Syntex - SharePoint Advanced Management](/sharepoint/advanced-management) provides policies for content access, collaboration and lifecycle management.

+- [Introduction to information protection and data lifecycle management in Microsoft Purview](/training/modules/m365-compliance-information-governance) - Learn how Microsoft 365 information protection and data lifecycle management solutions help you protect and govern your data, throughout its lifecycle.

+- [Microsoft Security, Compliance, and Identity Fundamentals: Describe the capabilities of Microsoft compliance solutions](/training/paths/describe-capabilities-of-microsoft-compliance-solutions/) - Learn about compliance solutions in Microsoft. Topics covered will include compliance, information protection, and governance in Microsoft 365, Insider Risk, audit, and eDiscovery solutions. Also covered are Azure resources governance capabilities.

+## Related topics

+ Title: SharePoint and Microsoft 365 Groups integration (IT Admins)

+description: Learn how admin settings for Microsoft 365 Groups and SharePoint can affect each other and the user experience.

+# SharePoint and Microsoft 365 Groups integration (IT Admins)

+|External sharing for organization and site|Determines if sites, files, and folders can be shared with people outside the organization.|If SharePoint and Microsoft 365 Groups settings don't match, guests in the group may be blocked from accessing the site, or external access may be available in the site but not the group.|When changing sharing settings, check both Microsoft 365 Groups settings and SharePoint site settings for group-connected team sites.<br><br>See [Collaborate with guests in a site](./collaborate-in-site.md).|

+|Domain allow/block|Allows or prevents content being shared with specified domains.|Microsoft 365 Groups doesn't recognize SharePoint allowlists or blocklists. Users from domains disallowed in SharePoint could gain access to SharePoint through a group.|Manage domain allowlists or blocklists for Azure AD and SharePoint together. Create an org-wide governance process for allowing and blocking domains.<br><br>See [SharePoint domain settings](/sharepoint/restricted-domains-sharing) and [Azure AD domain settings](/azure/active-directory/b2b/allow-deny-list)|

+|Allow only users in specific security groups to share externally|Specifies security groups who can share sites, folders, and files externally.|This setting doesn't affect group owners sharing Microsoft 365 groups externally. Group guests have access to the associated SharePoint site.||

+|SharePoint site sharing settings|Determines who can share the site directly outside of group membership. (The group or site owner configures this setting.)|This setting doesn't affect the group directly, but it can allow users to be added to a site and not have access to other group resources|Consider using this setting to limit sharing of the site directly and manage site access through the group.|

+## The effects of Microsoft 365 Groups settings on SharePoint

+|Microsoft 365 Groups setting|Description|Effect on SharePoint|Recommendation|

+|Group guest access|Specifies if people outside the organization can be added to groups.|If SharePoint and Microsoft 365 Groups settings don't match, guests in the group may be blocked from accessing the site, or external access may be available in the site but not the group.|When changing sharing settings, check both Microsoft 365 Groups settings and SharePoint site settings for group-connected team sites.<br><br>See [Collaborate with guests in a site](./collaborate-in-site.md)|

+|Group creation by security group|Only members of a specific security group can create Microsoft 365 groups.|Users who aren't members of the security group can't create a group-connected team site.|Be sure your process for requesting a group includes instructions for requesting a site.|

+|Group expiration policy|Specifies a time period after which Microsoft 365 groups that aren't actively used are automatically deleted.|When the group is deleted, the associated SharePoint site is also deleted. Content protected by retention policies is retained.|Use expiration policies to avoid sprawl of unused Microsoft 365 groups and sites.|

+ Title: Overview of image tagging in Microsoft Syntex

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn about image tagging in Microsoft Syntex.

+# Overview of image tagging in Microsoft Syntex

+Microsoft Syntex makes it easier to find and manage images in SharePoint document libraries. It does this process by automatically tagging images with descriptive keywords using AI. These keywords are stored in a managed metadata column (the **Image Tags** column), which makes it easier to search, sort, filter, and manage the images.

+

+The image tagging feature makes it even easier to tag images without any training, thereby reducing the need for manual tagging or custom AI model building. This result means you can quickly find images in your libraries and set up processes based on the tags for the images.

+## Requirements and limitations

+### Supported file types

+Image tagging is available for the following image file types: .bmp, .png, .gif, .jpeg, .jpg, .tif, .tiff, .ari, .arw, .bay, .cap, .crw, .cr2, .cr3, .dcr, .dcs, .dng, .drf, .eip, .erf, .fff, .heic, .heif, .iiq, .kdc, .k25, .mef, .mos, .mrw, .nef, .nrw, .orf, .pef, .ptx, .pxn, .raf, .raw, .rwl, .rw2, .sr2, .srf, .srw, .x3f, and .3fr.

+### Current release notes

+- **Time taken to reflect tags getting in the **Image Tags** column:** Minimum: 5 minutes, maximum: 24 hours.

+- **Image Tags is an editable taxonomy column:** You can add new tags or remove the AI-generated tags as needed to meet your requirements.

+- **Custom metadata already applied:** If the image already has custom metadata applied to it, that information is extracted and shown in the **Image Tags** column.

+- **Existing image processing:** Currently, existing images aren't processed when image tagger is enabled. Any newly uploaded images are processed for automatic image tagging.

+- **Responsible AI guidelines:** Send us feedback on the image tagging quality. We monitor feedback closely and take appropriate action based on the feedback.

+<!

+# Set up image tagging in Microsoft Syntex

+(Coming soon)

+With image tagging in Microsoft Syntex, users can find images through search by searching on image tags, and create workflows based on image tags. By default, basic image tagging is turned on for SharePoint and OneDrive. Images uploaded to either location are automatically scanned and applicable tags are applied, if available, from a list of 37 basic tags. Users can find images through search by searching on the image tags.

+When a user uploads an image, the tagging process runs automatically. If an image is edited, the tagging process runs again to update the tags.

+Users with permissions to the image file can see and edit the tags in the file information panel or in the search results page. Once a user edits an image's tags, the system no longer auto-tags that image, even if it's edited.

+If you turn tagging off, images will no longer be automatically tagged. Existing tags won't be removed.

+> [!NOTE]

+> System generated tags may change with updates to the image or our tag technology.

+## Configure image tagging

+After you [set up Syntex](set-up-content-understanding.md), you can configure image tagging in the Microsoft 365 admin center.

+To turn image tagging on or off

+1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>.

+2. Under **Organizational knowledge**, click **Automate content understanding**.

+3. Click **Manage**.

+4. On the **Image tagging** tab, click **Edit**.

+5. Choose to allow **Basic tagging** or turn tagging **Off**.

+6. Click **Save**.

+ 

+>

+ Title: Set up and manage image tagging in Microsoft Syntex

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Learn how to set and configure image tagging in Microsoft Syntex.

+# Set up and manage image tagging in Microsoft Syntex

+The image tagging service for Microsoft Syntex is set up in the Microsoft 365 admin center.

+## Prerequisites

+### Licensing

+Before you can use image tagging in Syntex, you must first link an Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). Image tagging in Syntex is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md).

+### Permissions

+You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up image tagging in Syntex.

+## Set up image tagging

+After an [Azure subscription is linked to Microsoft Syntex](syntex-azure-billing.md), image tagging will be automatically set up and enabled for all SharePoint sites.

+Although you enable pay-as-you-go billing for image tagging, you'll be charged only when [image tagging is enabled on a document library](image-tagging.md).

+## Manage sites

+By default, image tagging is available for libraries on all SharePoint sites. To turn off image tagging on all sites, follow these steps.

+1. In the Microsoft 365 admin center, select <a href="https://go.microsoft.com/fwlink/p/?linkid=2171997" target="_blank">**Setup**</a>, and then select **Use content AI with Microsoft Syntex**.

+2. On the **Use content AI with Microsoft Syntex** page, select **Manage Microsoft Syntex**.

+3. On the **Manage Microsoft Syntex** page, select **Image tagging**.

+4. On the **Image tagging** page, select **No libraries**, and then select **Save**.

+Before you can use image tagging, you need to enable it in a document library. There are two methods you can use to do this:

+## Use an existing Image Tags column

+## Enable the Image Tags column

+|Image tagging | [Set up image tagging](image-tagging-setup.md) |

+|Optical character recognition | [Set up optical character recognition](ocr.md) |

+## Related articles

+### Image tagging

+ :::column span="3":::

+ Use image tagging in Syntex to find and manage images in SharePoint document libraries. Syntex automatically tags images with descriptive keywords using AI. These keywords are stored in a managed metadata column, making it easier to search, sort, filter, and manage the images.

+ :::column-end:::

+ :::column span="":::

+ 

+ :::column-end:::

+[Learn more about image tagging in Microsoft Syntex.](image-tagging-overview.md)

+ Understanding your content allows for better compliance control and increases management and governance options for all your data. When content is properly tagged and labeled, you have better control over your data and can follow regulations more easily. Syntex helps you ensure compliance by using retention labels and sensitivity labels to manage your documents.

+|Prebuilt document processing|The number of pages processed for PDF or image files. Each of these counts as one transaction. You won't be charged for model training. You'll be charged for processing whether or not there's a positive classification, or any entities extracted.<br><br>Processing occurs on document upload and on subsequent updates. Processing is counted for each model applied. For example, if you have two models applied to a library and you upload or update a five-page document in that library, the total pages processed is 10.|$0.01/transaction|

+|Unstructured document processing|The number of pages processed for Word, PDF, or TIFF files; the number of sheets for Excel files; the number of slides for PowerPoint files; or the number of files for other file types. Each of these counts as one transaction. You won't be charged for model training. You'll be charged for processing whether or not there's a positive classification, or any entities extracted.<br><br>Processing occurs on document upload and on subsequent updates. Processing is counted for each model applied. For example, if you have two models applied to a library and you upload or update a five-page document in that library, the total pages processed is 10.|$0.05/transaction|

+|Image tagging |The number of images processed. Each processed image counts as one transaction. You wonΓÇÖt be charged if you only enable pay-as-you-go billing for image tagging. You'll be charged only when you [enable image tagging on a document library](image-tagging.md). |$0.001/image |

+|Optical character recognition |The number of pages processed for images (JPEG, JPG, PNG, or BMP); the number of pages processed for PDF, TIF, or TIFF; or the number of embedded images in Teams chats and email messages. Each of these counts as one transaction. Processing occurs every time the file is edited. |$0.001/transaction|

+## Related articles

+[Configure pay-as-you-go billing](syntex-azure-billing.md)